On 30/01/2020 14.41, Sabrina Dubroca wrote:
2020-01-30, 14:30:46 +0100, Oliver Hartkopp wrote:
Since commit 8df9ffb888c ("can: make use of preallocated can_ml_priv for per
device struct can_dev_rcv_lists") the device specific CAN receive filter lists
are stored in netdev_priv() and dev->ml_priv points to these filters.
In the bug report Syzkaller enslaved a vxcan1 CAN device and accessed the
bonding device with a PF_CAN socket which lead to a crash due to an access of
an unhandled bond_dev->ml_priv pointer.
Deny to enslave CAN devices by the bonding driver as the resulting bond_dev
pretends to be a CAN device by copying dev->type without really being one.
Does the team driver have the same problem?
Good point!
From a first look into team_setup_by_port() in team.c I would say YES :-)
Thanks for watching out! I would suggest to wait for some more feedback
and upstream of this fix.
Best regards,
Oliver
